By now you have probably heard about the infamous “npm-gate” that swept through the developer community
over the last week. It has been brought up, discussed, covered, meta-discussed, satirized, and even featured by
some mainstream media. Evidently the nerds have managed to stir up some serious trouble again, and it only took
them 11 lines of that strange thing they call “code”.

No good things in small packages

When looking for a culprit, the one party that everyone pounced on immediately was of course
npm itself. With its myriad of packages that could each fit in a tweet, it invites building exactly
the house of cards we’ve seen collapse.

This serves as a good wake-up call, of course. But it also tempts some to throw the baby out with the bathwater
and draw a conclusion that may be a little too far-fetched, like declaring the entire idea of
managing dependencies “the npm way” suspect. If packages tend to degenerate into something as ludicrous as
isArray — to say nothing of left-pad, which started the whole debacle — then maybe this approach
to software reusability has simply bankrupted itself?
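The “house of cards” is something you can measure before it falls on you. The script below is an added example, not code from the original post: it walks a package-lock.json in the lockfileVersion 3 “packages” layout and reports how many transitive packages hang off each direct dependency, which leaf packages sit underneath several unrelated subtrees (the left-pad shape: tiny, dependency-free, and load-bearing for half the tree), and which names are referenced but have no entry at all, which is what a lock looks like once a package has been pulled from the registry. The lock contents and package names are constructed for the demonstration, and the script assumes a hoisted install where every package lives at `node_modules/<name>` (nested `node_modules/x/node_modules/y` paths are not resolved).

```javascript
// Added example (not from the original post). Inspect a lockfileVersion 3
// package-lock.json for fragile dependency structure.
// Assumption: hoisted install, so every package is at node_modules/<name>.

// Constructed lock data; package names are invented for the demonstration.
const LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'web-framework': '^1.0.0', 'cli-tool': '^2.0.0', 'test-runner': '^5.0.0' } },
    'node_modules/web-framework': { version: '1.0.0', dependencies: { 'string-utils': '^3.0.0', 'is-array': '^1.0.0' } },
    'node_modules/cli-tool': { version: '2.0.0', dependencies: { 'string-utils': '^3.0.0', 'ghost-pkg': '^0.1.0' } },
    'node_modules/test-runner': { version: '5.0.0', dependencies: { 'is-array': '^1.0.0', 'web-framework': '^1.0.0' } },
    'node_modules/string-utils': { version: '3.0.0', dependencies: { 'pad-left': '^1.0.0' } },
    'node_modules/pad-left': { version: '1.0.0' },
    'node_modules/is-array': { version: '1.0.0' },
    // 'ghost-pkg' is referenced by cli-tool but has no entry: the lock is
    // incomplete, which is what a build sees after a package disappears.
  },
};

function entryFor(lock, name) {
  return lock.packages[`node_modules/${name}`] || null;
}

function depsOf(entry) {
  return Object.keys((entry && entry.dependencies) || {});
}

function directDeps(lock) {
  return depsOf(lock.packages['']);
}

// Every package reachable from `name`, excluding `name` itself. Cycles are
// harmless because each node is expanded at most once.
function transitiveClosure(lock, name) {
  const seen = new Set();
  const stack = [name];
  while (stack.length) {
    const cur = stack.pop();
    if (seen.has(cur)) continue;
    seen.add(cur);
    for (const dep of depsOf(entryFor(lock, cur))) stack.push(dep);
  }
  seen.delete(name);
  return seen;
}

// Names referenced anywhere in the graph that have no entry in the lock.
function unresolved(lock) {
  const missing = new Set();
  for (const key of Object.keys(lock.packages)) {
    for (const dep of depsOf(lock.packages[key])) {
      if (!entryFor(lock, dep)) missing.add(dep);
    }
  }
  return [...missing].sort();
}

// How many transitive packages each direct dependency drags in.
function weightPerDirectDep(lock) {
  const out = {};
  for (const d of directDeps(lock)) out[d] = transitiveClosure(lock, d).size;
  return out;
}

// Leaf packages (no dependencies of their own) that sit underneath two or
// more direct dependencies: losing one of these breaks several subtrees.
function sharedLeaves(lock) {
  const counts = new Map();
  for (const d of directDeps(lock)) {
    for (const t of transitiveClosure(lock, d)) counts.set(t, (counts.get(t) || 0) + 1);
  }
  return [...counts]
    .filter(([name, n]) => n >= 2 && entryFor(lock, name) && depsOf(entryFor(lock, name)).length === 0)
    .map(([name, n]) => ({ name, dependents: n }))
    .sort((a, b) => b.dependents - a.dependents || a.name.localeCompare(b.name));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('transitive packages per direct dependency:', weightPerDirectDep(LOCK));
  console.log('shared leaf packages:', sharedLeaves(LOCK));
  console.log('referenced but missing from lock:', unresolved(LOCK));
}
```

To run it against a real project, replace the constructed `LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a leaf with a high dependents count is the package whose disappearance or compromise would take the most of your tree with it, and a non-empty `unresolved` list means the lock no longer describes an installable graph.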

A world without *pm

I’m right away responding to that with a resounding “No!”. Package management as a concept is not responsible for
the poor decision making of one specific developer collective. And to anyone who might think tools like npm do more
harm than good, I ask: have you recently written any C++?

See, C++ is the odd one among languages that at least pretend to be keeping up with the times. It doesn’t present
a package management story at all. That’s right — the C++ “ecosystem”, as it stands now, has:

no package manager

no repository of packages

no unified way of managing dependencies

no way to isolate development environments of different projects from one another

Adding any kind of third-party dependency to a C++ project — especially a portable one, which is allegedly one of C++’s
strengths — is a considerable pain, even when it doesn’t require any additional libraries by itself. And environment
isolation? Some people are using Linux containers (!) for this, which is like dealing with a mosquito by shooting it
with a howitzer.

To build a C++ binary, you must first build the userspace.

But hey, at least they can use apt-get, right?…

So, string padding incidents aside, package managers are absolutely essential. Sure, we can and should discuss
the merits of their particular flavors and implementation details — like whether it’s prudent to allow “delisting”
of packages. As a whole, however, package managers deserve recognition as a crucial part of modern language tooling
that we cannot really do without.